ls-remote reports gnutls_handshake() failed

[danieldietsch]

How are you running Renovate?

Self-hosted Renovate

If you're self-hosting Renovate, tell us what version of Renovate you run.

37.26.0

If you're self-hosting Renovate, select which platform you are using.

Gitea or Forgejo

Was this something which used to work for you, and then stopped?

It used to work, and then stopped

Describe the problem

After updating Gitea to 1.20.5, renovate cannot access repositories anymore.

The log shows:

Attaching to renovate_renovate_1
renovate_1  | DEBUG: Using RE2 as regex engine
renovate_1  | DEBUG: Parsing configs
renovate_1  | DEBUG: Checking for config file in /usr/src/app/config.js
renovate_1  | DEBUG: No config file found on disk - skipping
renovate_1  | 37.26.0
renovate_1  | DEBUG: Using RE2 as regex engine
renovate_1  | DEBUG: Parsing configs
renovate_1  | DEBUG: Checking for config file in /usr/src/app/config.js
renovate_1  | DEBUG: No config file found on disk - skipping
renovate_1  | DEBUG: Converting GITHUB_COM_TOKEN into a global host rule
renovate_1  | DEBUG: File config
renovate_1  |        "config": {}
renovate_1  | DEBUG: CLI config
renovate_1  |        "config": {
renovate_1  |          "onboarding": true,
renovate_1  |          "platform": "gitea",
renovate_1  |          "endpoint": "https://<domain>/api/v1",
renovate_1  |          "username": "renovate",
renovate_1  |          "autodiscover": true
renovate_1  |        }
renovate_1  | DEBUG: Env config
renovate_1  |        "config": {
renovate_1  |          "hostRules": [
renovate_1  |            {"hostType": "github", "matchHost": "github.com", "token": "***********"}
renovate_1  |          ],
renovate_1  |          "token": "***********"
renovate_1  |        }
renovate_1  | DEBUG: Combined config
renovate_1  |        "config": {
renovate_1  |          "hostRules": [
renovate_1  |            {"hostType": "github", "matchHost": "github.com", "token": "***********"}
renovate_1  |          ],
renovate_1  |          "token": "***********",
renovate_1  |          "onboarding": true,
renovate_1  |          "platform": "gitea",
renovate_1  |          "endpoint": "https://<domain>/api/v1",
renovate_1  |          "username": "renovate",
renovate_1  |          "autodiscover": true
renovate_1  |        }
renovate_1  | DEBUG: Adding trailing slash to endpoint
renovate_1  | DEBUG: Found valid git version: 2.42.0
renovate_1  | DEBUG: Using platform gitAuthor: renovate bot <<email>>
renovate_1  | DEBUG: Adding token authentication for <domain> (hostType=gitea) to hostRules
renovate_1  | DEBUG: Using baseDir: /tmp/renovate
renovate_1  | DEBUG: Using cacheDir: /tmp/renovate/cache
renovate_1  | DEBUG: Using containerbaseDir: /tmp/renovate/cache/containerbase
renovate_1  | DEBUG: Initializing Renovate internal cache into /tmp/renovate/cache/renovate/renovate-cache-v1
renovate_1  | DEBUG: Commits limit = null
renovate_1  | DEBUG: Setting global hostRules
renovate_1  | DEBUG: Adding token authentication for github.com (hostType=github) to hostRules
renovate_1  | DEBUG: Adding token authentication for <domain> (hostType=gitea) to hostRules
renovate_1  | DEBUG: validatePresets()
renovate_1  | DEBUG: Auto-discovering Gitea repositories
renovate_1  |  INFO: Autodiscovered repositories
renovate_1  |        "length": 1,
renovate_1  |        "repositories": ["<org/repo>"]
renovate_1  | DEBUG: Reinitializing hostRules for repo
renovate_1  | DEBUG: Clearing hostRules
renovate_1  | DEBUG: Adding token authentication for github.com (hostType=github) to hostRules
renovate_1  | DEBUG: Adding token authentication for <domain> (hostType=gitea) to hostRules
renovate_1  |  INFO: Repository started (repository=<org/repo>)
renovate_1  |        "renovateVersion": "37.26.0"
renovate_1  | DEBUG: Using localDir: /tmp/renovate/repos/gitea/<org/repo> (repository=<org/repo>)
renovate_1  | DEBUG: PackageFiles.clear() - Package files deleted (repository=<org/repo>)
renovate_1  | DEBUG: <org/repo> default branch = staging (repository=<org/repo>)
renovate_1  | DEBUG: Using HTTP URL: https://<domain>/<org/repo>.git (repository=<org/repo>)
renovate_1  | DEBUG: Git function thrown (repository=<org/repo>)
renovate_1  |        "err": {
renovate_1  |          "task": {
renovate_1  |            "commands": [
renovate_1  |              "ls-remote",
renovate_1  |              "--heads",
renovate_1  |              "https://**redacted**@<domain>/<org/repo>.git"
renovate_1  |            ],
renovate_1  |            "format": "utf-8",
renovate_1  |            "parser": "[function]"
renovate_1  |          },
renovate_1  |          "message": "fatal: unable to access 'https://<domain>/<org/repo>.git/': gnutls_handshake() failed: Error in protocol version\n",
renovate_1  |          "stack": "Error: fatal: unable to access 'https://<domain>/<org/repo>.git/': gnutls_handshake() failed: Error in protocol version\n\n    at Object.action (/opt/containerbase/tools/renovate/37.26.0/node_modules/simple-git/src/lib/plugins/error-detection.plugin.ts:42:29)\n    at PluginStore.exec (/opt/containerbase/tools/renovate/37.26.0/node_modules/simple-git/src/lib/plugins/plugin-store.ts:29:29)\n    at /opt/containerbase/tools/renovate/37.26.0/node_modules/simple-git/src/lib/runners/git-executor-chain.ts:127:42\n    at new Promise (<anonymous>)\n    at GitExecutorChain.handleTaskData (/opt/containerbase/tools/renovate/37.26.0/node_modules/simple-git/src/lib/runners/git-executor-chain.ts:124:14)\n    at GitExecutorChain.<anonymous> (/opt/containerbase/tools/renovate/37.26.0/node_modules/simple-git/src/lib/runners/git-executor-chain.ts:100:40)\n    at Generator.next (<anonymous>)\n    at fulfilled (/opt/containerbase/tools/renovate/37.26.0/node_modules/simple-git/dist/cjs/index.js:55:24)\n    at processTicksAndRejections (node:internal/process/task_queues:95:5)"
renovate_1  |        }

Using git ls-remote --heads https://<token>@<domain>/<org>/<repo>.git/ with git 2.42.0 on another machine works:

GIT_CURL_VERBOSE=1 git ls-remote --heads https://<token>@<domain>/<org>/<repo>.git/
Info: processing: https://<token>@<domain>/<org>/<repo>.git/info/refs?service=git-upload-pack
Info: Couldn't find host <domain> in the (nil) file; using defaults
Info:   Trying <ip>:443...
Info: Connected to <domain> (<ip>) port 443
Info: ALPN: offers h2,http/1.1
Info: TLSv1.3 (OUT), TLS handshake, Client hello (1):
Info:  CAfile: /etc/ssl/certs/ca-bundle.crt
Info:  CApath: none
Info: TLSv1.3 (IN), TLS handshake, Server hello (2):
Info: TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
Info: TLSv1.3 (OUT), TLS handshake, Client hello (1):
Info: TLSv1.3 (IN), TLS handshake, Server hello (2):
Info: TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
Info: TLSv1.3 (IN), TLS handshake, Certificate (11):
Info: TLSv1.3 (IN), TLS handshake, CERT verify (15):
Info: TLSv1.3 (IN), TLS handshake, Finished (20):
Info: TLSv1.3 (OUT), TLS handshake, Finished (20):
Info: SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
Info: ALPN: server accepted h2
Info: Server certificate:
Info:  subject: CN=<domain>
Info:  start date: Sep  6 19:49:43 2023 GMT
Info:  expire date: Dec  5 19:49:42 2023 GMT
Info:  subjectAltName: host "<domain>" matched cert's "<domain>"
Info:  issuer: ...
Info:  SSL certificate verify ok.
Info: using HTTP/2
Info: h2 [:method: GET]
Info: h2 [:scheme: https]
Info: h2 [:authority: <domain>]
Info: h2 [:path: /<org>/<repo>.git/info/refs?service=git-upload-pack]
Info: h2 [user-agent: git/2.42.0]
Info: h2 [accept: */*]
Info: h2 [accept-encoding: deflate, gzip, br, zstd]
Info: h2 [pragma: no-cache]
Info: h2 [git-protocol: version=2]
Info: Using Stream ID: 1
....

Unfortunately, the whole Gitea instance is private and I don't have an alternative minimal repository.

Relevant debug logs

See above

Have you created a minimal reproduction repository?

I have explained in the description why a minimal reproduction is impossible

[viceice]

try the git command from the renovate image

[danieldietsch]

With GIT_CURL_VERBOSE=1, I get this from inside the image:

Starting renovate_renovate_1 ... done
Attaching to renovate_renovate_1
renovate_1  | 21:20:49.365524 http.c:820              == Info: Couldn't find host <domain> in the .netrc file; using defaults
renovate_1  | 21:20:49.369320 http.c:820              == Info:   Trying <ip>:443...
renovate_1  | 21:20:49.369327 http.c:820              == Info: TCP_NODELAY set
renovate_1  | 21:20:49.369406 http.c:820              == Info: Connected to <domain> (<ip>) port 443 (#0)
renovate_1  | 21:20:52.456409 http.c:820              == Info: found 411 certificates in /etc/ssl/certs
renovate_1  | 21:20:52.456592 http.c:820              == Info: ALPN, offering h2
renovate_1  | 21:20:52.456601 http.c:820              == Info: ALPN, offering http/1.1
renovate_1  | 21:20:52.458885 http.c:820              == Info: gnutls_handshake() failed: Error in protocol version
renovate_1  | 21:20:52.458913 http.c:820              == Info: Closing connection 0
renovate_1  | fatal: unable to access 'https://<domain>/<org>/<repo>.git/': gnutls_handshake() failed: Error in protocol version

[danieldietsch]

You are right, I will try and find such a host.

Nevertheless, the curl binary inside the image is

curl --version
curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f zlib/1.2.11 brotli/1.0.7 libidn2/2.2.0 libpsl/0.21.0 (+libidn2/2.2.0) libssh/0.9.3/openssl/zlib nghttp2/1.40.0 librtmp/2.3
Release-Date: 2020-01-08

[rarkins]

Good find! curl is installed here: https://github.com/containerbase/base/blob/e2921ce8f1aadde0f212687da7cb3029b1dbd53d/src/usr/local/bin/install-containerbase#L66

It appears to be the default curl version for Ubuntu 20.04:

❯ docker run --rm -it ubuntu:20.04 /bin/bash
root@bf445a13fbde:/# apt-get update && apt-get install -y curl && curl --version

...

curl 7.68.0 (aarch64-unknown-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f zlib/1.2.11 brotli/1.0.7 libidn2/2.2.0 libpsl/0.21.0 (+libidn2/2.2.0) libssh/0.9.3/openssl/zlib nghttp2/1.40.0 librtmp/2.3
Release-Date: 2020-01-08
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets

If so then you'd expect this to be a much wider problem than just Renovate's

[danieldietsch]

Yes, but I am still not really convinced that this is the issue. The curl binary in the image has no problems establishing a connection.
Just git seems to be troubled.

But I can no provide a public host: the public Gitea demo instance also faces the same issue.
GIT_CURL_VERBOSE=1 git ls-remote --heads https://try.gitea.io/aln/mqtt-connectors.git (or any other repository from that instance) also reports gnutls_handshake() failed using the git binary from inside the image.
Using that line from a git binary on another machine (but also with 2.42.0) works as expected.
curl -v -L "https://try.gitea.io/aln/mqtt-connectors.git" -o /dev/null -s from the image also works as expected (establish connection).

[viceice]

which curl version are you using on that other machine?

[danieldietsch]

See below; in the other images its also curl 7.68.0.

[viceice]

These tools are built using https://github.com/containerbase/base

Based on https://github.com/containerbase/base/blob/e2921ce8f1aadde0f212687da7cb3029b1dbd53d/src/usr/local/containerbase/tools/git.sh it seems like the latest git is installed every time. @viceice am I understanding that correctly?

If you think containerbase has a problem with old libcurl version, please try to find a public host which reproduces the same problem. At this point we still don't know for sure if this problem affects many hosts, only gitea hosts, or only your host.

yes, we use latest tools.

I guess that the git version in this image is not compiled with a recent libcurl, hence not supporting SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256.

No, it works, i've tested on github

>GIT_CURL_VERBOSE=1 git ls-remote https://github.com/renovatebot/renovate.git HEAD
09:13:35.881478 http.c:820              == Info: Couldn't find host github.com in the .netrc file; using defaults
09:13:35.885526 http.c:820              == Info:   Trying 140.82.121.3:443...
09:13:35.885545 http.c:820              == Info: TCP_NODELAY set
09:13:35.913777 http.c:820              == Info: Connected to github.com (140.82.121.3) port 443 (#0)
09:13:35.928256 http.c:820              == Info: found 411 certificates in /etc/ssl/certs
09:13:35.928309 http.c:820              == Info: ALPN, offering h2
09:13:35.928321 http.c:820              == Info: ALPN, offering http/1.1
09:13:35.955177 http.c:820              == Info: SSL connection using TLS1.3 / ECDHE_RSA_AES_128_GCM_SHA256
09:13:35.955725 http.c:820              == Info:         server certificate verification OK
09:13:35.955741 http.c:820              == Info:         server certificate status verification SKIPPED
09:13:35.955793 http.c:820              == Info:         common name: github.com (matched)
09:13:35.955806 http.c:820              == Info:         server certificate expiration date OK
09:13:35.955808 http.c:820              == Info:         server certificate activation date OK
09:13:35.955813 http.c:820              == Info:         certificate public key: EC/ECDSA
09:13:35.955826 http.c:820              == Info:         certificate version: #3
09:13:35.955847 http.c:820              == Info:         subject: C=US,ST=California,L=San Francisco,O=GitHub\, Inc.,CN=github.com
09:13:35.955852 http.c:820              == Info:         start date: Tue, 14 Feb 2023 00:00:00 GMT
09:13:35.955855 http.c:820              == Info:         expire date: Thu, 14 Mar 2024 23:59:59 GMT
09:13:35.955863 http.c:820              == Info:         issuer: C=US,O=DigiCert Inc,CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1
09:13:35.955878 http.c:820              == Info: ALPN, server accepted to use h2
09:13:35.955903 http.c:820              == Info: Using HTTP2, server supports multi-use
09:13:35.955918 http.c:820              == Info: Connection state changed (HTTP/2 confirmed)
09:13:35.955923 http.c:820              == Info: Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
09:13:35.955981 http.c:820              == Info: Using Stream ID: 1 (easy handle 0x5638d47d4460)
09:13:35.956017 http.c:767              => Send header, 0000000237 bytes (0x000000ed)
09:13:35.956036 http.c:779              => Send header: GET /renovatebot/renovate.git/info/refs?service=git-upload-pack HTTP/2
09:13:35.956045 http.c:779              => Send header: Host: github.com
09:13:35.956047 http.c:779              => Send header: user-agent: git/2.42.0
09:13:35.956048 http.c:779              => Send header: accept: */*
09:13:35.956049 http.c:779              => Send header: accept-encoding: deflate, gzip, br
09:13:35.956050 http.c:779              => Send header: accept-language: C, *;q=0.9
09:13:35.956052 http.c:779              => Send header: pragma: no-cache
09:13:35.956053 http.c:779              => Send header: git-protocol: version=2
09:13:35.956054 http.c:779              => Send header:
09:13:35.981863 http.c:820              == Info: Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
09:13:36.125941 http.c:767              <= Recv header, 0000000013 bytes (0x0000000d)
09:13:36.125968 http.c:779              <= Recv header: HTTP/2 200
09:13:36.125972 http.c:767              <= Recv header, 0000000026 bytes (0x0000001a)
09:13:36.125974 http.c:779              <= Recv header: server: GitHub-Babel/3.0
09:13:36.125977 http.c:767              <= Recv header, 0000000059 bytes (0x0000003b)
09:13:36.125978 http.c:779              <= Recv header: content-type: application/x-git-upload-pack-advertisement
09:13:36.125980 http.c:767              <= Recv header, 0000000054 bytes (0x00000036)
09:13:36.125982 http.c:779              <= Recv header: content-security-policy: default-src 'none'; sandbox
09:13:36.125997 http.c:767              <= Recv header, 0000000040 bytes (0x00000028)
09:13:36.126001 http.c:779              <= Recv header: expires: Fri, 01 Jan 1980 00:00:00 GMT
09:13:36.126003 http.c:767              <= Recv header, 0000000018 bytes (0x00000012)
09:13:36.126005 http.c:779              <= Recv header: pragma: no-cache
09:13:36.126006 http.c:767              <= Recv header, 0000000053 bytes (0x00000035)
09:13:36.126008 http.c:779              <= Recv header: cache-control: no-cache, max-age=0, must-revalidate
09:13:36.126010 http.c:767              <= Recv header, 0000000023 bytes (0x00000017)
09:13:36.126012 http.c:779              <= Recv header: vary: Accept-Encoding
09:13:36.126014 http.c:767              <= Recv header, 0000000037 bytes (0x00000025)
09:13:36.126015 http.c:779              <= Recv header: date: Wed, 18 Oct 2023 09:13:36 GMT
09:13:36.126017 http.c:767              <= Recv header, 0000000023 bytes (0x00000017)
09:13:36.126018 http.c:779              <= Recv header: x-frame-options: DENY
09:13:36.126020 http.c:767              <= Recv header, 0000000057 bytes (0x00000039)
09:13:36.126032 http.c:779              <= Recv header: x-github-request-id: CB8E:D078:29B74C1:2A5563C:652FA1BF
09:13:36.126035 http.c:767              <= Recv header, 0000000002 bytes (0x00000002)
09:13:36.126036 http.c:779              <= Recv header:
09:13:36.126051 http.c:820              == Info: Connection #0 to host github.com left intact
09:13:36.126206 http.c:820              == Info: Couldn't find host github.com in the .netrc file; using defaults
09:13:36.126235 http.c:820              == Info: Found bundle for host github.com: 0x5638d47bee90 [can multiplex]
09:13:36.126253 http.c:820              == Info: Re-using existing connection! (#0) with host github.com
09:13:36.126267 http.c:820              == Info: Connected to github.com (140.82.121.3) port 443 (#0)
09:13:36.126288 http.c:820              == Info: Using Stream ID: 3 (easy handle 0x5638d47d4460)
09:13:36.126352 http.c:767              => Send header, 0000000309 bytes (0x00000135)
09:13:36.126373 http.c:779              => Send header: POST /renovatebot/renovate.git/git-upload-pack HTTP/2
09:13:36.126375 http.c:779              => Send header: Host: github.com
09:13:36.126377 http.c:779              => Send header: user-agent: git/2.42.0
09:13:36.126379 http.c:779              => Send header: accept-encoding: deflate, gzip, br
09:13:36.126390 http.c:779              => Send header: content-type: application/x-git-upload-pack-request
09:13:36.126392 http.c:779              => Send header: accept: application/x-git-upload-pack-result
09:13:36.126394 http.c:779              => Send header: accept-language: C, *;q=0.9
09:13:36.126395 http.c:779              => Send header: git-protocol: version=2
09:13:36.126396 http.c:779              => Send header: content-length: 102
09:13:36.126397 http.c:779              => Send header:
09:13:36.126426 http.c:820              == Info: We are completely uploaded and fine
09:13:36.304312 http.c:767              <= Recv header, 0000000013 bytes (0x0000000d)
09:13:36.304332 http.c:779              <= Recv header: HTTP/2 200
09:13:36.304335 http.c:767              <= Recv header, 0000000026 bytes (0x0000001a)
09:13:36.304337 http.c:779              <= Recv header: server: GitHub-Babel/3.0
09:13:36.304348 http.c:767              <= Recv header, 0000000052 bytes (0x00000034)
09:13:36.304350 http.c:779              <= Recv header: content-type: application/x-git-upload-pack-result
09:13:36.304352 http.c:767              <= Recv header, 0000000054 bytes (0x00000036)
09:13:36.304353 http.c:779              <= Recv header: content-security-policy: default-src 'none'; sandbox
09:13:36.304355 http.c:767              <= Recv header, 0000000040 bytes (0x00000028)
09:13:36.304357 http.c:779              <= Recv header: expires: Fri, 01 Jan 1980 00:00:00 GMT
09:13:36.304359 http.c:767              <= Recv header, 0000000018 bytes (0x00000012)
09:13:36.304360 http.c:779              <= Recv header: pragma: no-cache
09:13:36.304362 http.c:767              <= Recv header, 0000000053 bytes (0x00000035)
09:13:36.304363 http.c:779              <= Recv header: cache-control: no-cache, max-age=0, must-revalidate
09:13:36.304364 http.c:767              <= Recv header, 0000000023 bytes (0x00000017)
09:13:36.304365 http.c:779              <= Recv header: vary: Accept-Encoding
09:13:36.304374 http.c:767              <= Recv header, 0000000037 bytes (0x00000025)
09:13:36.304375 http.c:779              <= Recv header: date: Wed, 18 Oct 2023 09:13:36 GMT
09:13:36.304376 http.c:767              <= Recv header, 0000000023 bytes (0x00000017)
09:13:36.304378 http.c:779              <= Recv header: x-frame-options: DENY
09:13:36.304379 http.c:767              <= Recv header, 0000000057 bytes (0x00000039)
09:13:36.304380 http.c:779              <= Recv header: x-github-request-id: CB8E:D078:29B75F3:2A55789:652FA1C0
09:13:36.304381 http.c:767              <= Recv header, 0000000002 bytes (0x00000002)
09:13:36.304383 http.c:779              <= Recv header:
09:13:36.496599 http.c:820              == Info: Connection #0 to host github.com left intact
f2267cca38c19d1eff49da5fe3b069b6c0cb5eac        HEAD

so it's definetly something on your environment and not on renovate side.

[danieldietsch]

Ok, I now tried with the images containerbase/base:9.23.4 and ubuntu:20.04. For both,
GIT_CURL_VERBOSE=1 git ls-remote --heads https://try.gitea.io/aln/mqtt-connectors.git
and
curl -v -L "https://try.gitea.io/aln/mqtt-connectors.git" -o /dev/null -s
work as expected.

[rarkins]

So the images work fine with try.gitea.io but do not work fine with your self-hosted gitea?

[danieldietsch]

No, these (containerbase, ubuntu) images work fine with both. renovate's image does not work with either of them.

[viceice]

the ghcr.io/renovate bot/renovate image is working fine on try.gitea.io

[danieldietsch]

Ok, after spending way too much time on this issue, I created a new image based on renovate-slim where I recompiled git with openssl instead of gnutls as backend. With this, everything works as expected.

It seems like in somewhat complex reverse proxy setups, gnutls has issues, but I did not figure out what would be needed to fix them.

If someone stumbles upon this:

• Use the helpful script provided here: https://raw.githubusercontent.com/niko-dunixi/git-openssl-shellscript/main/compile-git-with-openssl.sh
• Use a Dockerfile similar to this one:

FROM renovate/renovate:37.27.0

USER 0
WORKDIR /
COPY compile-git-with-openssl.sh /compile-git-with-openssl.sh
RUN bash compile-git-with-openssl.sh --skip-tests --build-dir=git-openssl/
USER 1000

[danieldietsch]

Which version of Traefik are you using? We are on traefik:v2.10.5.

[749]

Also v2.10.5

[viceice]

I'm too: docker.io/amd64/traefik:v2.10.5 and i'm also using letsencrypt certificates (manually deployed via kubernetes secrets)

[lascaps]

I also experienced issues with Renovate, GitLab, and Traefik. The following discussion helped me resolve the problem: traefik/traefik#10198.

As suggested in the discussion, I removed the curvePreferences:

curvePreferences:
  - CurveP521
  - CurveP384

This fixed the issue for me.

[ChristianLempa]

@lascaps this seems to be an issue with the CurveP384 and CurveP521. Adding CurveP256 did it for me.

[johanneskastl]

I am hitting this issue using both the slim and normal images from ghcr.io/renovatebot/. The internal Forgejo instance is reachable via HTTPS using a Let's encrypt certificate.

Using curl inside the container works, but the ls-remote call fails:

"message": "fatal: unable to access 'https://<redacted>Renovate_helm-charts.git/': gnutls_handshake() failed: Error in protocol version\n",

Any idea what could cause this?

[viceice]

it's an issue with your setup, not a renovate issue.

SSL issues also occur when your network has wrong mtu settings. eg if you've some kind of udp based ip tunnel which allows a too big mtu. this causes failing tls handshake or time-outs.

use the trace env vars above to debug further.

[johanneskastl]

Thanks for the hints, I'll try to debug.
It is just that everything else works perfectly with Forgejo running in a Kubernetes cluster, it is only renovatebot that seems to have issues for $REASONS.

[viceice]

🤷‍♂️ your error message isn't helpful either, it's a very generic message and no other user has that issue with our official images.

please open a new discussion for further help about your error.

[johanneskastl]

For the record, I seem to hit the same snag that @danieldietsch hit. Everything works fine as soon as I use an image that has git linked to openssl, not gnutls...

[viceice]

There is nothining we can do about that